CVE-2022-38461: WordPress WPML Multilingual CMS premium plugin <= 4.5.10 - Broken Access Control vulnerability - Patchstack

Broken Access Control vulnerability in WPML Multilingual CMS premium plugin <= 4.5.10 on WordPress allows users with a subscriber or higher user role to change plugin settings (selected language for legacy widgets, the default behavior for media content).

Verified, Fixed

CVSS 3.1 score: 5.4 (Medium severity)

Monitoring: Not reported to be exploited

Software: Multilingual CMS

Vulnerable versions: <= 4.5.10

PSID: 55efe4d16b5c

Classification: Other Vulnerability Type

OWASP Top 10: A5: Broken Access Control

Required privilege: Requires subscriber or higher role user authentication.

Publicly disclosed: 2022-11-09

Details

Broken Access Control vulnerability leading to plugin settings change (selected language for legacy widgets can be changed, and default behavior for media content can be changed) discovered by Dave Jong in WordPress WPML Multilingual CMS premium plugin (versions <= 4.5.10).

Solution

Update the WordPress Multilingual CMS plugin to the latest available version (at least 4.5.11).
